Routing-Verification-as-a-Service (RVaaS) Trustworthy Routing


SLIDE 1

Routing-Verification-as-a-Service (RVaaS)

Trustworthy Routing Despite Insecure Providers

Liron Schiff, Kashyap Thimmaraju, Stefan Schmid
Tel Aviv University, IL; TU Berlin, DE; Aalborg University, DK
June 28, 2016

Liron, Kashyap, Stefan Routing-Verification-as-a-Service (RVaaS) June 28, 2016 1 / 20

SLIDE 2

Trustworthy Routing

At least a trustworthy Provider

Deutsche Telekom - https://goo.gl/9QdFBR

SLIDE 3

Trustworthy Routing

Not all Providers offer that unfortunately

New Scientist - https://goo.gl/b4x78q

SLIDE 4

Make the Provider more trustworthy

Trustworthy routing?

Give the Users visibility
- Visibility to connectivity
- Visibility to routes
- Visibility to performance

SLIDE 5

Make the Provider more trustworthy

Trustworthy routing?

Give the Provider confidentiality
- Keep the physical topology confidential
- Keep the network behaviour confidential
- Keep the Users' data confidential

SLIDE 6

The Internet and Us

Implicit trust in the Provider’s routing

[Figure: network diagram with Client 1.2.3.4, Web Server 5.6.7.8, ISP A, ISP B, ISP C and ISP D]

SLIDE 7

Traceroute: Visibility in the Internet

and into your Provider

traceroute to www.google.com (216.58.213.228),
 1  192.168.0.1     3.057 ms  3.045 ms  3.387 ms
 2  83.169.183.46   16.876 ms  19.954 ms  21.451 ms
 3  88.134.234.89   21.436 ms  21.101 ms  21.421 ms
 4  88.134.235.10   32.163 ms  33.150 ms
 5  88.134.202.25   31.163 ms  38.290 ms  38.282 ms
 6  72.14.198.218   38.241 ms  34.813 ms  34.785 ms
 7  209.85.249.134  34.759 ms  24.141 ms  21.078 ms
 8  209.85.253.241  30.762 ms  30.367 ms  30.367 ms
 9  216.58.213.228  17.861 ms  21.913 ms  23.298 ms

SLIDE 8

SDN: Centralized Visibility and Control

Is this the elixir for networking?

[Figure: Data-plane, OpenFlow, Control-plane]

An overview of what SDN offers: granular visibility, policing, (re)configuration, etc.

SLIDE 9

Outline

- Introduction
- Threat Model
- RVaaS
- Conclusion

SLIDE 10

SDN: A compromised control plane

[Figure: network diagram with Provider A, Provider D, Provider C, Bob 5.6.7.8, Alice 1.2.3.4 and Eve 6.6.6.6]

A compromised control plane in Provider A can MITM Alice’s traffic to Eve

SLIDE 11

The Threat Model

The Clients/Users: Trusted or untrusted.

The Provider:
- Physical Infrastructure: Trusted.
- Control plane: Untrusted.
- Data plane: Trusted.

SLIDE 12

RVaaS

Trustworthy routing

Routing-Verification-as-a-Service
- Verifiable routing properties
- Confidentiality
- Low resource requirements

[Figure: Provider A, RVaaS, Network Management]

SLIDE 13

RVaaS

Components

- Configuration Monitoring: Active/Passive
- Logical Verification: Header Space Analysis, Emulation
- In-band Test and Client Interaction: Packet-In, Packet-Out

SLIDE 14

RVaaS

What can RVaaS do?

Which destinations can I reach?

[Figure: Client A, RVaaS, Provider A, Provider B, Provider C]

Client A can reach ISP B and ISP C.
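
An added example (not from the slides and not the authors' implementation) of a logical check over monitored configuration: it answers "Which destinations can I reach?" from a snapshot of forwarding rules and reports hops a client did not expect, as in the Alice/Eve slide. It reduces Header Space Analysis to destination-prefix matching; the switch names, rule format and the 9.9.9.0/24 prefix are constructed for illustration.

```python
import ipaddress

# Constructed snapshot of monitored forwarding state (assumed format):
# switch -> list of (destination prefix, next hop). A next hop that is not a
# switch in the snapshot is treated as an egress towards a neighbour.
SNAPSHOT = {
    "s1": [("5.6.7.0/24", "s2"), ("9.9.9.0/24", "s3")],
    "s2": [("5.6.7.0/24", "ISP B")],
    "s3": [("9.9.9.0/24", "ISP C")],
}
# Same network after a control plane inserts a more specific rule that
# detours one host's traffic through an extra switch "sx" (constructed).
TAMPERED = {**SNAPSHOT, "s1": [("5.6.7.8/32", "sx")] + SNAPSHOT["s1"],
            "sx": [("5.6.7.0/24", "s2")]}

def lookup(rules, dst):
    """Longest-prefix match of dst against one switch's rules."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nxt in rules:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nxt)
    return best[1] if best else None

def trace(snapshot, ingress, dst):
    """Follow the rules from ingress; egress is None on a drop or a loop."""
    path, node = [], ingress
    while node in snapshot:
        if node in path:
            return path + [node], None  # forwarding loop
        path.append(node)
        node = lookup(snapshot[node], dst)
    return path, node

def reachable(snapshot, ingress, probes):
    """Map each probe destination to its egress, omitting unreachable ones."""
    results = {dst: trace(snapshot, ingress, dst)[1] for dst in probes}
    return {dst: egress for dst, egress in results.items() if egress is not None}

def detours(snapshot, ingress, dst, allowed):
    """Switches on the path to dst that are outside the client's allowed set."""
    path, _ = trace(snapshot, ingress, dst)
    return [hop for hop in path if hop not in allowed]
```

Reachability alone does not reveal the detour: both snapshots deliver 5.6.7.8 to ISP B, and only the path check against the allowed set exposes the extra hop.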

SLIDE 15

RVaaS

Who would use RVaaS?

- ISPs
- Public cloud providers
- Private cloud providers
- Anybody who wants to keep track of their dataplane

SLIDE 16

RVaaS

Why use RVaaS?

- Network visibility
- Enhance Provider and Client relationship
- Verification as a service
  - Isolation checks
  - Geo-location checks
  - Fairness checks
  - Routing/Forwarding table checks

SLIDE 17

RVaaS

in action

1. Integrity request packet
2. OpenFlow Packet In
3. OpenFlow Packet Out
4. Auth request packet

[Figure: RVaaS controller and nodes labelled A and B]

SLIDE 18

RVaaS

in action

1. Auth reply packet
2. OpenFlow Packet In
3. OpenFlow Packet Out
4. Integrity reply packet

[Figure: RVaaS controller and nodes labelled A and B]

SLIDE 19

Conclusion

- We lack visibility into our Provider's network and the Internet
- SDN offers excellent visibility into the network
- RVaaS leverages SDN to deliver routing verification to Clients and Providers

SLIDE 20

Questions?
